Explore the latest product updates and best practices at our hybrid Checkmk Conference #12 from June 16-18, 2026 – Register here
back to website

Werk #15194: Fix command injection via RestAPI / Password Store

Component Core & setup
Title Fix command injection via RestAPI / Password Store
Date Aug 2, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.2.0p8 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.1.0p32 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT
2.0.0p38 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT

Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.

This issue was found during internal code review.

Affected Versions: * 2.0.0 * 2.1.0 * 2.2.0 prior to version 2.2.0p4

Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889.

Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have assigned CVE CVE-2023-31209.

Changes: This Werk adds proper sanitization of the affected parameter on core commands.

To the list of all Werks